Against that background, in December 2019 and on March 6 and May 19, 2020, the CNIL carried out three remote inspections of the amazon.fr website and an onsite inspection at the premises of the French establishment of the Amazon group, Amazon Online France SAS. On March 16, 2020, the CNIL also carried out a remote inspection of the google.fr site. These inspections aimed to verify whether Google LLC and Google Ireland Limited and Amazon Europe Core complied with the French Data Protection Act, and in particular with its Article 82, when setting or reading non-essential cookies on the devices of users living in France who visited the google.fr and amazon.fr websites. In its press releases, the CNIL stressed that its sanctions against Google and Amazon punished breaches of obligations that existed before the GDPR and are not part of the obligations clarified by the new Guidelines and Recommendations.
CNIL’s Jurisdiction Over Google Ireland Limited’s and Amazon Europe Core’s Cookie Practices
Google and Amazon challenged the jurisdiction of the CNIL, arguing that (1) the cooperation mechanism of the GDPR (known as the one-stop-shop mechanism) should apply and the CNIL is not their lead supervisory authority for the purposes of that mechanism; and (2) their cookie practices do not fall within the territorial scope of the French Data Protection Act. Pursuant to its Article 3, the French Data Protection Act applies to the processing of personal data carried out in the context of the activities of an establishment of a data controller (or data processor) in France. In that respect, Amazon argued that its French establishment was not involved in the setting of cookies on the amazon.fr site and that there is no inextricable link between the activities of the French establishment and the setting of cookies by Amazon Europe Core, the Luxembourg affiliate of the Amazon group, responsible for the European Amazon websites, including the French site. Google argued that, because the one-stop-shop mechanism should apply, its Irish affiliate, Google Ireland Limited, is the actual headquarters of the Google group in Europe and thus its main establishment for the purposes of the one-stop-shop mechanism. Accordingly, the Irish Data Protection Commissioner would be the only competent supervisory authority.
Inapplicability of the One-Stop-Shop Mechanism of the GDPR
In the initial version of its Guidelines, the CNIL made clear that it may take any corrective measures and sanctions under Article 82 of the French Data Protection Act, independently of the GDPR’s cooperation and consistency mechanisms, because the French cookie rules are based on the EU ePrivacy Directive and not the GDPR. Unsurprisingly, therefore, the CNIL rejected the arguments of Google and Amazon, considering that the EU ePrivacy Directive provides for its own mechanism, designed to implement and control its application. Accordingly, the CNIL concluded that the one-stop-shop mechanism of the GDPR does not apply to the enforcement of the provisions of the EU ePrivacy Directive, as implemented under French law.
To prevent such a situation in the future and ensure consistent interpretation and enforcement of both sets of rules, the European Data Protection Board (the “EDPB”) has called for the GDPR’s cooperation and consistency mechanism to be used for the supervision of the future cookie rules under the ePrivacy Regulation, which will replace the ePrivacy Directive. The CNIL did not wish to pre-empt this future development, and applied the relevant texts literally in its cases against Google and Amazon.
CNIL’s Territorial Jurisdiction
Controllership Status of Google LLC
Following his investigation, the Rapporteur of the CNIL considered that Google Ireland Limited and Google LLC are joint controllers in respect of the processing consisting in accessing or storing information on the device of Google Search users living in France.
Google argued that Google Ireland Limited is solely responsible for those operations and that Google LLC is a processor. Google stressed that (1) its Irish affiliate participates in the various decision-making bodies and in the different stages of the decision-making process implemented by the group to define the characteristics of the cookies set on Google Search; and (2) differences exist between the cookies set on European users’ devices and those set on the devices of other users (e.g., shorter retention periods, no personalized ads served to children within the meaning of the GDPR, etc.), which demonstrate the decision-making autonomy of Google Ireland Limited.
In its decision, the CNIL found that Google LLC is also represented in the bodies that adopt decisions relating to the deployment of Google products within the European Economic Area and in Switzerland, and to the processing of personal data of users living in those regions. The CNIL also found that Google LLC exercises a decisive influence in those decision-making bodies. The CNIL further found that the differences in the cookie practices were just differences in implementation, mainly intended to comply with EU law. According to the CNIL, those differences do not affect the global advertising purpose for which the cookies are used. In the CNIL’s view, this purpose is also determined by Google LLC, and the differences invoked by Google are not sufficient to demonstrate the decision-making autonomy of Google Ireland Limited. In addition, the CNIL found that Google LLC also participates in the determination of the means of processing since Google LLC designs and builds the technology of cookies set on the European users’ devices. The CNIL concluded that Google LLC and Google Ireland Limited are joint controllers.
Setting of advertising cookies without obtaining the user’s prior consent
The CNIL’s inspection of the google.fr website revealed that, when users visited that site, seven cookies were automatically set on their device. Four of these cookies were advertising cookies.
In the case of Amazon, the investigation revealed that, whenever users first visited the home page of the amazon.fr website or visited the site after they clicked on an ad published on another site, more than 40 advertising cookies were automatically set on their device.
Since advertising cookies require users’ prior consent, the CNIL concluded that the companies failed to comply with the cookie consent requirement of Article 82 of the French Data Protection Act.
Lack of adequate information provided to users
Opt-out mechanism partially defective
In the case of Google, the CNIL also found that, when a user deactivated the ad personalization on Google Search by using the mechanism available from the “Access now” button, one of the advertising cookies was still stored on the user’s device and kept reading information destined for the server to which the cookie was attached. The CNIL concluded that the opt-out mechanism was partially defective.
In setting the fines in both cases, the CNIL took into account the seriousness of the breaches of Article 82 of the French Data Protection Act, the high number of users affected by those breaches, and the financial benefits deriving from the advertising income indirectly generated from the data collected by the advertising cookies. Interestingly, in the case of Google, the CNIL cited a decision of the French Competition Authority and referred to Google’s dominant position in the online search market.
The CNIL addressed its decisions to the French establishment of the companies in order to enforce these decisions. The companies have four months to appeal their respective decisions before France’s highest administrative court (Conseil d’Etat).